The Persecution of Phil Zimmermann, American

This is a copy of my now-available MicroTimes report of a visit from
federal investigators, three days after I publicly criticized the FBI and NSA
about a related matter, in an op-ed in the San Francisco Examiner.

Following the report, there are implications as to how similarly-outraged
citizens might take effective action to halt the gross miscarriage of
justice herein detailed.

And there are supplementary thoughts following my visit with a federal
prosecutor who, like the guards at the concentration camps, is just doing
his job.

When I finished it, I could no longer see the keyboard. I was crying -
with frustration and rage and shame that MY nation and MY government could
be doing this.

--jim

[Written on March 2nd, this is appearing in the April, 1995, editions of
MicroTimes, with total circulation exceeding 230,000 in California.]

Is Phil Zimmermann being persecuted? Why? By whom? Who's next?

I write this today, March 2nd, because I envision the possibility of
somehow being enjoined from speaking or writing about this, by a federal
grand jury in San Jose, next Tuesday.

Subpoena follows op-ed

On Wednesday, February 22nd, an op-ed piece that I wrote appeared in the
San Jose Mercury News, captioned, "Encryption could stop computer
crackers." In the wake of massive Internet break-ins, I urged adopting
nationwide, standardized, by-default, end-to-end data-communications and
file encryption using the most-secure scrambling technologies that are
publicly known and published worldwide. I criticized the FBI and NSA
(National Security Agency) for zealously - and successfully - opposing all
such protection, thus seriously endangering innocent citizens and
law-abiding businesses.

On February 26th, a similar op-ed of mine appeared in the Sunday
edition of the combined San Francisco Examiner and San Francisco Chronicle,
emphasizing the unnecessary danger and billions of dollars of losses
resulting from the government's preoccupation with protecting and
greatly-enhancing its eavesdropping capabilities.

Three days later, two U.S. Customs Special Agents appeared at my
home, unannounced, and soon handed me a federal grand jury subpoena. I am,
"commanded to appear and testify before the Grand Jury of the United States
District Court," on March 7th.

The subpoena was dated February 27th - the first workday after the Sunday
Examiner's op-ed piece.

Whoever said government is inefficient?

Interview recording prohibited

The agents - two pleasant, businesslike young women - said they were here
about Phil Zimmermann and his encryption software known as PGP, "Pretty
Good Privacy."

I laughed and said, "Oh - okay, come on in," and led them up to my
office, grabbing a tape-recorder along the way.

I sat down and - prominently turning on the recorder - said,
without being confrontational, that I'd like to record the interview.

Whoops! - flag on the play. They said they would want to take a copy of the
tape with them when they left. That was fine with me, so I turned off my
recorder and went for a second recorder from my car.

Drat! - I wish I'd left the recorder running, because when I
returned, they had decided they needed approval from Assistant U.S.
Attorney Bill Keane, the AUSA in charge of investigating Zimmermann and
PGP.

They called Keane. He was out. They left a message, then said that
- in the absence of his approval - they would have to forego the interview,
and made motions to leave. I was curious about what they wanted, and it
occurred to me that I probably couldn't record my testimony before the
grand jury, anyway. So after some discussion, we agreed not to record. In
the process, they offered to allow me to copy their interview notes - which
I thought was a rather-neat show of good faith.
However, before we began, the senior agent looked at me with a
moment of clear hesitancy and suspicion, and asked several times that I
verify that our conversation was not being recorded. I did, pointing out
that it would be a criminal misdemeanor - in California - if I recorded
them in this private place without their knowledge.

Part-way through the interview, Keane returned his agent's call. I
asked if he would say why we couldn't record the interview, with both of us
having a tape. He said only that he didn't wish to have it done.

Apparently we citizens aren't the only ones who are paranoid.

Realworld Big Brother

The interview was relaxed, candid and cordial. The agents said they were
just seeking the facts of what actually happened - to wit:

On April 10, 1991, shortly after the Gulf War, a message from
WHMurray@DOCKMASTER.NCSC.MIL cascaded across the computer nets, warning
about one sentence buried in a massive "anti-terrorism" bill authored by
Senators Biden and DeConcini. Their Senate Bill 266 declared, "It is the
sense of Congress that providers of electronic communications services and
manufacturers of electronic communications service equipment shall ensure
that communications systems permit the government to obtain the plain text
contents of voice, data, and other communications when appropriately
authorized by law."

Bill Murray, then a computer-security consultant to the NSA, wrote:

"The referenced language requires that manufacturers build
trap-doors into all cryptographic equipment and that providers of
confidential channels reserve to themselves, their agents, and assigns the
ability to read all traffic.

"Are there readers of this list that believe that it is possible
for manufacturers of crypto gear to include such a mechanism and also to
reserve its use to those "appropriately authorized by law" to employ it?

"Are there readers of this list who believe that providers of
electronic communications services can reserve to themselves the ability to
read all the traffic and still keep the traffic "confidential" in any
meaningful sense?

"Is there anybody out there who would buy crypto gear or
confidential services from vendors who were subject to such a law?

"David Kahn asserts that the sovereign always attempts to reserve
the use of cryptography to himself. Nonetheless, if this language were to
be enacted into law, it would represent a major departure. An earlier
Senate went to great pains to assure itself that there were no trapdoors in
the DES [federally-adopted Data Encryption Standard]. Mr. Biden and Mr.
DeConcini want to mandate them.

"The historical justification of such reservation has been
"national security;" just when that justification begins to wane, Mr. Biden
wants to use "law enforcement." Both justifications rest upon appeals to
fear.

"In the United States the people, not the Congress, are sovereign;
it should not be illegal for the people to have access to communications
that the government cannot read. We should be free from unreasonable search
and seizure; we should be free from self-incrimination.

"The government already has powerful tools of investigation at its
disposal; it has demonstrated precious little restraint in their use.

"Any assertion that all use of any such trap-doors would be only
"when appropriately authorized by law" is absurd on its face. It is not
humanly possible to construct a mechanism that could meet that requirement;
any such mechanism would be subject to abuse.

"I suggest that you begin to stock up on crypto gear while you can
still get it."

The net went ballistic over this Orwellian mandate.

PGP - Pretty Good Privacy

Prior to this, Phil Zimmermann, a sometime cryptographer and small computer
consultant near the University of Colorado in Boulder, had been developing
a PC implementation of public-key encryption, as described in the open
literature, published worldwide more than a decade earlier. He had idle
thoughts of possibly making it available as shareware, perhaps for
educational purposes for fellow crypto hobbyists. He called it, "PGP" -
Pretty Good Privacy.

But public-key crypto using any reasonably-robust key-sizes is
reputed to be uncrackable. And intentionally building a back-door into a
beautiful crypto implementation is about like welding a tractor tire on the
back of a classic '63 Corvette - obscene!

Kelly Goen, located in the San Francisco Bay area, was also interested in
crypto. He and Zimmermann became acquainted - as is common among technoids
with similar interests. In that context, Zimmermann apparently gave Goen a
copy of PGP - also common behavior among us propeller-heads.

S. 266 goads guerrilla crypto

When Murray's message flashed across the nets, thousands of us were
infuriated - and frightened. In the wake of the Gulf War, S. 266 seemed
likely to become law, permanently prohibiting Americans from having the
privacy protection that technology could easily provide.

S. 266 would also prohibit PGP - at least in any respectable form.

So - with more than a little of the spirit of freedom that is the
heritage of all Americans - and to help citizens "stock up on crypto gear
while you still can," it was decided to make this privacy protection tool
available to everyone, immediately. Goen would upload copies - fully
annotated sources, binaries and documentation - to as many BBSs (bulletin
board systems) and host-computers around the United States as possible.
Zimmermann agreed - especially since S. 266 would soon outlaw PGP.

A night-time call

Goen sent email to MicroTimes on May 24th, saying, "the intent here is to
invalidate the so-called trap-door provision of the new senate bill coming
down the pike before it has a possibility of making it into law." He said
we could publish details about it, "provided of course mum is the word
until the code is actually flooded to the networks at large."

He also called me - as a MicroTimes columnist, and probably because
I had organized the recently-completed First Conference on Computers,
Freedom & Privacy, or maybe because of my comments on the net critical of
the S. 266 mandate.

I had several conversations with Goen, and later with Zimmermann -
who seemed more passive about the project. Now, four years after the fact,
this is re-constructed from random notes I took at the time, plus my
recollections - some of which remain quite vivid.

D-Day, defending freedom

On a weekend around the first of June, Goen began uploading complete PGP to
systems around the U.S. He called several times, telling me his progress.

He was driving around the Bay Area with a laptop, acoustic coupler
and a cellular phone. He would stop at a pay-phone; upload a number of
copies for a few minutes, then disconnect and rush off to another phone
miles away.

He said he wanted to get as many copies scattered as widely as
possible around the nation before the government could get an injunction
and stop him.

I thought he was being rather paranoid. In light of the following, perhaps
he was just being realistic.

Government counter-attacks

About two years after the PGP uploads, the government began threatening to
prosecute Zimmermann for illegal trafficking in munitions - cryptography.
[He was first visited by U.S. Customs agents on Feb. 17, 1993.] For more
than two years, they have been investigating whether he "exported" PGP. It
appears at press-time that they will probably prosecute him.

The allegation seems to be that, since he permitted someone else -
over whom he had no control anyway - to upload PGP to some Internet hosts
inside the United States, Zimmermann thus exported this controlled
munition!

This ignores the fact that most of those same Internet hosts also
have DES crypto software from AT&T, Sun, SCO and BSD, part of their
standard domestic Unix systems. The DES is under the same export
prohibition as PGP. The same is true for RSA's public-key crypto tools that
reside on thousands of Internet hosts around the nation.

This bizarre lunacy also ignores that public-key was published,
worldwide, fifteen years ago, and is available from numerous foreign
software competitors including entrepreneurs in former Eastern Bloc
countries - as is the DES.

Based on what they told me at the time and everything I've learned since then:

Zimmermann never even uploaded PGP files for public access.

Goen studiously limited his uploads to U.S. systems, as permitted
by law and routinely done with identically-regulated AT&T and RSA software.

They certainly didn't care about exporting PGP. Hell, most of the
rest of the world already purchases public-key products from numerous
vendors except U.S. companies.

They did want to pre-empt S. 266 before it became law - just as millions of
people do all the time regarding all sorts of pending legislation. And the
offending mandate was later deleted from S. 266, anyway.

Zimmermann and Goen wanted to protect this nation's citizens. S.
266 wasn't threatening other nations' citizens; it was threatening
Americans!

Why the persecution?

Some apologists say the government is just trying to clarify the law. Bull!

If that's what they want, they should investigate and prosecute
AT&T or Sun or SCO or RSA. Each makes millions peddling systems to U.S.
Internet host-owners that include identically-controlled crypto modules,
particularly including RSA public-key packages that are at-least as
powerful as PGP.

But thugs don't pick on targets that can defend themselves. Goons
go for the frail and weak and helpless - like Phil Zimmermann.

Maybe this is a rogue prosecutor trying to make a name for himself. But
apparently Keane can't seek a grand jury indictment for this "crime"
without clearance from the Department of Justice in Washington.

Maybe it's just our government wasting thousands of staff hours and
millions of dollars to publicly flog Zimmermann as a lesson to any other
pissant citizen who dares to do what AT&T, Sun and RSA can do with
impunity.

This appears to be nothing less than an arrogant, oppressive government
using all of its might and all of its power to flail and torture one poor
citizen, to teach him that he is dirt and intimidate everyone else.

Is this what our nation has become? Is this the America we want?

Coincidental subpoena?

As a footnote, I must say that my initial assumption was that the agents'
arrival two days after my op-ed piece appeared was simply coincidental -
that they were just-now getting around to tying-up loose ends of this
wasteful multi-year investigation. They said they were responding to a
letter I had sent to the grand jury a year or two earlier, when I first
heard they were investigating Zimmermann.

As I write this, and try to maintain some slight semblance of
reason, about half the time I think the timing was accidental - and half
the time I think I'm being naive.

A frightening experience

But I gotta tell ya, I awakened hours before dawn this morning, wondering
if somehow I was going to be the next victim of this governmental
obscenity. The government's stated policy is to attack opponents with
overpowering force. They are certainly doing that to Zimmermann.

I feel threatened and intimidated - and furious and outraged that
it should be happening in MY nation, prosecuted by MY government.

I cry for what Phil Zimmermann must be going through. He had little
financial resources to begin with; this has already cost him, dearly. For
almost two years, he has been under the horrifying threat of wasting all of
his assets including his home, just to defend himself against the
outrageous abuse of a federal government that will go to any expense to
"win."

And if Zimmermann loses, he goes to prison for years of mandatory
incarceration. When he comes out, his young daughter will be a teen-ager.
All because he dared to write a cryptographic program that the government
couldn't crack, that someone else made available to U.S. citizens.

If there is any justice remaining in this nation, this screams out for
immediate redress!

Warren has received the Hugh M. Hefner First Amendment Award (1994), the James
Madison Freedom-of-Information Award from the Society of Professional
Journalists - Northern California (1994) and the Electronic Frontier Foundation Pioneer Award in
its first year (1992). He led the successful 1993 effort to make state
legislation and statutes available via the public nets without state charge
and organized and chaired the landmark First Conference on Computers, Freedom
& Privacy (1991).

He founded InfoWorld, was founding host of PBS' "Computer
Chronicles," founding editor of Dr. Dobb's Journal, and has chaired various
computer and mathematics organizations. He holds graduate degrees in
computing (Stanford), medical information science (UC Medical Center) and
mathematics & statistics, began working as a programmer in 1968, and was a
mathematics teacher and professor for ten years before that. He also serves
on Autodesk's Board of Directors.

Give Us Your Poor, Your Weak ... for Harassment & Intimidation

Copies of other cryptographic software that fall under exactly the same
export controls and prohibitions as PGP - sold by Hewlett-Packard, AT&T,
Sun, SGI, SCO, BSD, etc. - as part of their standard domestic Unix systems
are available on hundreds of thousands of host-computers connected to the
global Internet in the United States. ViaCrypt in Phoenix AZ sells copies
of PGP. MIT provides several versions of PGP - including full source-code
- for free downloading from one of their Internet host computers. US News
and World Reports' Vic Sussman tells me a copy is on Compu$erve.

The prosecutor knows this; I have discussed it with him.

But there is no attempt to indict AT&T, Sun, H-P, SGI, SCO, BSD, etc.
There is no attempt to prosecute MIT or CompuServe for continuing to make
what Phil created freely available via the Internet and CPN. After all,
Compu$erve has a warning in capital letters saying that CI$ customers
outside of the U.S. should not download it. ViaCrypt is not being
investigated for selling PGP throughout the nation - not even to computer
stores located near the Iranian or North Korean Consulates. MIT restricts
access: A PGP recipient must first type "yes" to four questions, and may
have to connect to MIT through one of the more-than-two-million Internet
host-computers in the U.S., by telnet if they are outside the nation.

But PGP's creator - who is not known to have uploaded *any* copies for
public access - and his acquaintance, are the only ones being investigated.

Most of the remainder of this edition of GovAccess details what I know -
and opine (!!) - of why Washington is spending hundreds of thousands of
tax-dollars and thousands of limited staff hours of experienced
investigators and talented legal professionals on this lunatic persecution.

A Grand Jury is Usually the Lapdog of the Prosecutor - BUT ...

There are at least three members of this grand jury who have Internet
accounts, according to cryptographer Charlie Merritt who was testifying
before them and asked them. And the grand jury has been assembled in the
heart of Silicon Valley.

The best address that I can think of for the federal grand jury - composed
of concerned citizens - from which Keane is seeking this indictment, is:

Fore-person and Members
Federal Grand Jury in the Zimmermann/Goen case
280 S. First St.
San Jose CA 95113

I'm told that there are about 25 members, and I doubt that they have a
copier in the grand jury room.

I don't know whether Keane would be violating postal regulations if he
opened and withheld from those addressees, first-class mail addressed in
this manner. I have no evidence to believe that he would withhold it.

Washington is Often Not Involved in a Local Prosecution - BUT ...

My assumption is that Keane is being directed to persecute this
investigation by his superiors in Washington - that it wouldn't be
happening if Washington didn't want it. When I said that to him, he told
me only that his superiors in Washington are kept informed of his actions
and the progress on the case - as one would certainly hope. In fact, I'm
told that he cannot seek an indictment in this kind of case without
approval from Washington.

He's a good lieutenant. Personally, I think he's doing what he's told.

His official, public response would undoubtedly be that he should not get
involved in an ongoing criminal investigation.

But BYTE columnist and sci fi writer Jerry Pournelle has pointed out that
that's absolute nonsense.

Our elected officials damn-well *better* be in charge of their
bureaucrats. And if this President isn't, he needs to be replaced.

The President certainly has the power to pardon and halt criminal
investigations before-the-fact, as Gerald Ford illustrated with Nixon.

Much of Pournelle's June column in BYTE will focus on this case. Pournelle
is urging that the President simply pardon Zimmermann for any possible
wrong-doing, and let him get back to his family and on with his life.
[announced here with Jerry's explicit prior permission]

So what do *you* think?

Don't tell me - tell the folks, above, who *can* make a difference.

--jim

Later Thoughts - After Meeting with Asst US Attorney Keane on Friday, 3/10

On Monday, 3/6, before I was to appear for the grand jury on the following
day, I finally reached Keane. He agreed that I did not need to come down
for the grand jury (now why do I think he wouldn't want me speaking to his
lap-dog? :-), and we agreed instead, that I would come in for an interview
with him and his agents at the end of the week.

As soon as we began, he volunteered that he didn't anticipate that I had
any exposure and didn't consider me a target of their investigation. I
appreciated that. He also said he would tell me if that changed. Oh.

We met for about four hours (folks rarely accuse me of brevity). I was
completely candid, and told them all of the above and lots more - including
most of the opinions ... with which he was very patient. <grin>

I found Keane reasonable, attentive, even-handed and probably a very good
prosecutor (and we *need* good prosecutors). However, my impression was
that he had rather-limited understanding of the nets - e.g., he'd never
even heard of Fidonet, and seemed convinced that the primary way that PGP
was distributed was by USENET from the WELL! (He said that's why they are
pursuing the investigation in California rather than back in Colorado.)

I continued to be favorably impressed by the Customs investigators, and I
honestly don't think Keane is one of the bad guys - though I suspect that
he may be too focused on the nitty-gritty of seeking evidence for
prosecution, and too-little focused on seeking principled, equitable
*Justice*.

The fact is, I honestly feel a bit sorry for him - because I think he's a
good prosecutor, and I believe Washington is telling him to pursue this
case, which is probably turning into a public relations debacle as its
capricious injustice becomes more and more clear ... and it's Bill Keane's
name and reputation that is going to be trashed.

The real responsibility lies with the anonymous Washington gang, who never
have to face their victims, who are blindly intent on intimidating all of
us by making an example of Zimmermann - just like street-thugs always pick
the frail and weak to terrorize, so as to intimidate a community into
submission.

The only difference is that this time, the community can't turn to the
law-enforcement officials for help.

I told Keane that, okay, WE GOT THE MESSAGE.

God!, I'm ashamed of my government's myopic, self-serving leadership.

Trial attorneys - prosecutors and defense - too-often seem more interested
in "winning" the trial "game" than they are interested in Truth or Justice.
Too-often, they excuse such immorality by saying that the costly, abusive,
terrifying adversarial system will assure Truth and Justice.

Attorneys are the gun-slingers of the 20th Century - but only their clients
get shot.